NTP Server Configuration
To configure the NTP Server:
Navigate to Services > NTP
Configure the settings as follows:
Select the interface(s) to use for NTP. The NTP daemon binds to all interfaces by default to receive replies properly. This may be minimized by selecting at least one interface to bind, but that interface will also be used to source the NTP queries sent out to remote servers, not only to serve clients. Deselecting all interfaces is the equivalent of selecting all interfaces.
- Time Servers
A list of servers to query in order to keep the clock of this firewall synchronized. This list is initially pulled from the entries under System > General Setup. For best results, we recommend using at least three servers, but no more than five. Click Add to configure additional time servers.
When checked, this NTP server entry is favored by the NTP daemon over others.
- No Select
When checked, this NTP server is not used for time synchronization, but only to display statistics.
- Orphan Mode
Orphan mode uses the system clock when no other clocks are available, otherwise clients will not receive a response when other servers are unreachable. The value entered here is the stratum used for Orphan Mode, and is typically set high enough that live servers are preferred. The default value is
- NTP Graphs
Check to enable RRD graphs for NTP server statistics.
When logging options are active, NTP logs are written using syslog and may be found under Status > System Logs, on the NTP tab.
- Log Peer Messages
When checked, NTP will log messages about peer events, information, and status.
- Log System Messages
When checked, NTP will log messages about system events, information, and status.
- Statistics Logging
Click Show Advanced to view these options. When enabled, NTP will create persistent daily log files in /var/log/ntp to keep statistics data. The format of the statistics records in the log files can be found in the ntp.conf man page.
- Log reference clock statistics
When checked, NTP records clock driver statistics on each update.
- Log clock discipline statistics
When checked, NTP records loop filter statistics on each update of the local clock.
- Log NTP Peer Statistics
When checked, NTP records statistics for all peers of the NTP daemon, along with special signals.
- Leap Seconds
Click Show Advanced to view these options. Defines the contents of the Leap Second file, used by NTP to announce upcoming leap seconds to clients. This is typically used only by stratum 1 servers. The exact format of the file may be found on the IETF leap second list.
Access restrictions (ACLs) are configured on the ACL tab under Services > NTP. These ACLs control how NTP interacts with clients.
- Default Access Restrictions
Control behavior for all clients by default.
When set, NTP will send a KoD packet when an access violation occurs. Such packets are rate limited and no more than one per second will be sent.
ntpdc queries that attempt to change the configuration of the server are denied, but informational queries are returned.
When set, all queries from
Setting this will effectively disable the NTP status page, which relies on
When set, NTP will deny all packets except queries from
- Peer Association
When set, NTP denies packets that would result in a new peer association, including broadcast and symmetric active packets for peers without an existing association.
- Trap Service
When set, NTP will not provide mode 6 control message trap service, used for remote event logging.
- Custom Access Restrictions
Defines the behavior for specific client addresses or subnets. Click Add to add a new network definition.
The subnet and mask to define the client controlled by the restrictions in this entry.
The option names are abbreviated versions of those in the default list, in the same order.
Click Save to store the ACLs.
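One way to review the resulting ACLs offline is to audit the `restrict` lines of an ntpd configuration. This is an added example, not pfSense code: it assumes the options above correspond to the ntpd `restrict` flags `kod`, `nomodify`, `noquery`, `nopeer` and `notrap`, and the sample configuration is constructed.

```python
import ipaddress

# ntpd "restrict" flags assumed to correspond to the ACL options described above.
EXPECTED_DEFAULT = ("kod", "nomodify", "noquery", "nopeer", "notrap")

# Constructed sample configuration, not taken from a real firewall.
SAMPLE_CONF = """\
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify noquery nopeer notrap
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap  # custom entry
"""

def parse_restrict(conf_text):
    """Return (family, target, flags) for every restrict line."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = tokens.pop(0) if tokens[0] in ("-4", "-6") else "any"
        if not tokens:
            continue
        target = tokens.pop(0)
        if len(tokens) >= 2 and tokens[0] == "mask":
            try:  # normalise address + dotted mask to CIDR when possible
                target = str(ipaddress.ip_network(f"{target}/{tokens[1]}", strict=False))
            except ValueError:
                target = f"{target} mask {tokens[1]}"
            tokens = tokens[2:]
        entries.append((family, target, frozenset(tokens)))
    return entries

def audit(conf_text):
    """List default restrictions that are missing and custom entries that relax them."""
    findings = []
    entries = parse_restrict(conf_text)
    if not any(target == "default" for _, target, _ in entries):
        findings.append("no 'restrict default' line: clients are unrestricted")
    for family, target, flags in entries:
        if target == "default":
            findings += [f"default ({family}): {f} not set"
                         for f in EXPECTED_DEFAULT if f not in flags]
        elif target not in ("127.0.0.1", "::1"):
            findings += [f"{target}: {f} not set"
                         for f in ("nomodify", "noquery") if f not in flags]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

Loopback entries are skipped on purpose, since local status queries must still be answered.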